The GDPR horror show

Max 'Beast from the East' Smolaks covers storage, servers and open source, as well as all the news coming out of Eastern Europe. If you find him lost on the streets of London, feed him coffee and sugar

Upcoming European regulation is going to be a disaster, but that’s okay

December 01, 2017

Chris Perrins

In May 2018, the General Data Protection Regulation - a set of laws that govern data protection, privacy and security - will come into force across the European Union. Guidelines will be breached left and right, billions will be spent on fines, the rule of law itself will be questioned, and hordes of freshly unemployed marketing professionals will wander the desolate digital landscape. I might be overreacting, but more than half of the businesses affected by GDPR will not be ready to comply with its requirements (Gartner).

In the beginning

Image: European Parliament and GDPR - European Parliament/DCD

Way back in 2012, when the legal documents were first drafted, the world was a different place: it was less reliant on databases, and the average business did not have to worry about being raided by cyber criminals, since it had no valuable information to steal. In a rush to replace the previous EU directive on personal data, adopted in 1995, the lawmakers created a complex, all-encompassing framework. Revelations about the extent of American spying that surfaced in 2013 (thanks, Edward) did nothing to soften the stance of the EU.

As a result, GDPR includes strict rules on what ‘consent’ means; it calls for re-evaluation of privacy policies and asks for anonymization of data, even when used for testing. It introduces the controversial ‘right to erasure’ - a mechanism through which citizens can take down online content - and demands that service providers report a security breach that affects customer data within 72 hours of discovery.

Any customer will gain the right to request all data about themselves that’s being held by a business, to be supplied within a month. The entire process of handling personal data will need to be thoroughly documented. In addition, businesses that process such data on a large scale will need to appoint a data protection officer - presumably, the first person to be fired when things go south.

Personal data in this context can be anything: a name, an address or an email. There is no place to hide, since GDPR automatically supersedes various national laws, and the fines will leave the finance department in tears: up to four percent of worldwide annual turnover.

Fire starters

GDPR is the burning wrath of the European Commission, a merciless crusade born out of a desire to keep 28 countries true to the vision of respect for the individual and their rights. But there’s a problem: it is 2017, and every business is a digital business. Everyone and their uncle maintains a database of customer engagements, and each of those is subject to GDPR.

Luckily, the text makes a clear distinction between data ‘controllers’ and ‘processors’, with colocation and cloud providers falling into the second category and not having to worry about most aspects of GDPR, other than security.

But come 2018, we will see thousands of instances of non-compliance across enterprise data centers, every week, across every European member state. Local information commissioners will need to recruit an army to deal with this avalanche. And that, in a way, is a comforting thought: when half of those subject to GDPR fail to comply, your own business is insignificant, a grain of sand on a massive online beach. Statistically speaking, you will probably be alright.